Long Arm of the Law Snags Alleged DDoSer

A notorious alleged DDoS attacker is in custody, but even if he's convicted on all counts, it might not deter similar attacks. "There are many people around the world who have been involved in denial-of-service attacks -- some do it for political or hacktivist reasons, others in attempt to blackmail money out of big companies," noted Sophos security consultant Graham Cluley.

Moscow resident Dmitry Olegovich Zubakha, 25, suspected of launching two denial-of-service attacks against Amazon in 2008, has been arrested in Cyprus via an international warrant.

Amazon experienced a sharp drop in orders during the attacks as legitimate customers were unable to complete their transactions, according to the Department of Justice indictment filed in the Western District of Washington.

Double Whammy

The first attack, which was allegedly made with a co-conspirator, began at 10.23 a.m. PT on June 6, 2008. Amazon got it under control by 2.55 p.m.

The second attack against Amazon was launched on June 9, 2008. It took the company three days to fix the situation.

The two attacks no doubt cost Amazon a good bit of money, Graham Cluley, senior technology consultant with Sophos, told the E-Commerce Times. Not only were customers blocked from placing orders, but Amazon had to spend money and resources as it attempted to deflect the attacks.

Amazon said the costs were beside the point.

"Amazon is willing to expend dollars and energy beyond even what can be economically justified in order to bring cybercriminals to justice," the company said in a statement provided to the E-Commerce Times by spokesperson Mary Osako. "We are delighted to have aided law enforcement in this investigation, and praise them for their relentlessness in this matter."

On to Other Firms

Zubakha is also suspected of targeting other sites, such as Priceline.com and eBay. In one instance a co-conspirator called Priceline.com and offered his services as a consultant to stop the denial-of-service attack.

Charges against Zubakha include conspiracy to intentionally cause damage without authorization to a protected computer, and two counts of intentionally causing damage to a protected computer resulting in a loss of more than US$5,000.

He was also charged with possession of 15 or more unauthorized access devices, as well as aggravated identity theft for a separate incident involving the possession of stolen credit card numbers in October 2009.

It was the credit card theft that helped lead to Zubakha's arrest. In October 2009, authorities traced more than 28,000 stolen credit card numbers to him and his co-conspirator.

Complex Investigation

With so many separate charges -- coupled with the global multijurisdiction issue -- investigating and then having Zubakha arrested by authorities in Cyprus was a complex affair, according to the Justice Department. On the U.S. side, the Secret Service, the U.S. Attorney's Office for the Western District of Washington and the Seattle Police Department worked in tandem to secure his arrest.

The global cooperation is notable, of course -- but so is the coordination among the various U.S. law enforcement entities, security consultant Robert Siciliano told the E-Commerce Times.

"The Secret Service, the U.S. Attorney's Office for the Western District of Washington and the Seattle Police Department talking to each other is a direct result of the birth of the Department of Homeland Security," Siciliano said.

There is not a similar law or legal mandate to guide foreign law enforcement agencies in their cooperation in pursuing suspects involved in Internet financial crimes. However, it is widely recognized these crimes are causing significant damage, Siciliano said.

A united front by the U.S. and other foreign agencies shows countries that harboring such suspects is probably not in their best interest, he added.

A Lengthy Jail Term

If found guilty on all charges, Zubakha is facing a number of years in prison. Conspiracy is punishable by up to five years, and intentionally causing damage to a protected computer resulting in a loss of more than US$5,000 is punishable by up to 10 years in prison. Possession of more than 15 unauthorized access devices is punishable by up to 10 years in prison. Aggravated identity theft calls for an additional two years in prison on top of the sentence for the underlying crimes.

Even if he is hit with the full sentencing range, Zubakha's experience is unlikely to become an object lesson for other hackers, Cluley said.

"There are many people around the world who have been involved in denial-of-service attacks -- some do it for political or hacktivist reasons, others in attempt to blackmail money out of big companies," he said. "It's unlikely that the arrest of this alleged DDoSer will prevent others from participating in such attacks in the future."

That said, the cross-border cooperation is very heartening to the Internet security community, Cluley added.

"We're generally seeing improved co-operation between countries in the fight against cybercriminals," he said. "Of course, the work is often complex and can take months or years before progress is made. But Internet attackers should not be under any illusion -- the authorities are cracking down on those who exploit the Internet and disrupt online commerce."

The Justice Department did not respond to our request for further details.